How to: Programmatically Enable WIF on a WCF Service

[Starting with the .NET Framework 4.5, Windows Identity Foundation (WIF) has been fully integrated into the .NET Framework. The version of WIF addressed by this topic, WIF 3.5, is deprecated and should only be used when developing against the .NET Framework 3.5 SP1 or the .NET Framework 4. For more information about WIF in the .NET Framework 4.5, also known as WIF 4.5, see the Windows Identity Foundation documentation in the .NET Framework 4.5 Development Guide.]

Windows® Identity Foundation (WIF) provides easy integration with Windows Communication Foundation (WCF). This lets a WCF service use WIF’s features, such as the new claims model, support for additional security token types (SAML 2.0), and token handling. This topic shows how to do this.

To Enable Windows Identity Foundation in a Self-Hosted WCF Service

  1. In Visual Studio, add a reference to the WIF assembly (Microsoft.IdentityModel.dll) to the WCF service project.

  2. Add code that calls the ConfigureServiceHost method and passes it a service host instance for which to enable WIF. You must do this before you call ServiceHost.Open() on that instance. This method makes the necessary changes to the ServiceHost instance settings to integrate WIF’s features with the WCF message processing pipeline.


    You should only call ConfigureServiceHost after you have done all configuration of the ServiceHost. For example, if you update the service certificate on ServiceHost.Credentials after you call ConfigureServiceHost, your update will not be reflected in the SecurityTokenHandler.

The following code sample shows how to do this:

using (ServiceHost host = new ServiceHost(typeof(ClaimsAwareWebService), new Uri("https://localhost:6020/ClaimsAwareWebService")))
// Configure WIF on the service host.
// This attempts to read the web.config/app.config file and load any
// settings from the <Microsoft.IdentityModel> configuration section.


     Console.WriteLine(“Service is ready, press ENTER to close ...”);


To Enable Windows Identity Foundation in a Web-Hosted WCF Service

You can configure your Web-hosted service to use WIF by making the following configuration changes:

  • Add a <behaviorConfiguration> (if one doesn’t already exist):

    <service name="Service" behaviorConfiguration="ClaimsBehavior">
  • Reference the behavior in your configuration:

            <behavior name="ClaimsBehavior" > 
    <!-- Behavior extension to make the service claims aware -->
  • Define the behavior as an extension:

    <!-- This behavior extension will enable the service host to be Claims aware -->
            <add name="federatedServiceHostConfiguration" type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>